
November 2007 Issue


Securing Data: Moving from Defense to Offense
By Gary Palgon

Sensitive data resides in hundreds of places throughout an organization—in many different forms—and it moves around. Securing all consumer information whether in transport or while being stored may seem a little excessive, but as hackers become more sophisticated and internal breaches by employees become more frequent, it’s just common sense.

Today’s business environment is compliance-driven, competitive and increasingly fraught with crimes of opportunity from financially motivated hackers and frustrated employees. It is possible to beat the odds by adopting best practices that secure, encrypt and transport personal data for the benefit of all. Going on the offensive, at least in terms of data security, will reduce exposure to security breaches and mitigate the risk of fraud losses, penalties, operational and legal expenses that result from information security incidents.

Who wants to be famous?
The media is not shy about bringing attention to companies that have had security breaches. Why? This information is of great importance to consumers concerned about protecting their identities. From an enterprise standpoint, your goal should be to secure your sensitive business and consumer data to ensure that if a breach occurs, the information is useless to whoever accesses it.

One of the first well-publicized security breaches happened to an information services company, when more than 145,000 people in California and across the nation had to be notified of the breach as required by the California Senate Bill 1386 mandate. Since that time, other companies have rushed to comply with the mandates impacting their industries so as not to endure the scrutiny and reputation damage faced by this company and other companies like it. Since then, over 159 million data records of U.S. residents alone have been breached.

Lawsuits from corporate shareholders, employees, customers and other constituents often follow these breaches and the organization where the breach occurred is generally the loser.

In most industries, customer relationships are paramount. Loss of consumer confidence and the trustful bonds with customers is significant. An independent survey showed that nearly 20 percent of individuals who were informed that their information had been compromised had terminated the relationship with that company. Eleven percent of the respondents had been affected—a fairly large segment of the survey population.

The Rise of Mandates
Information such as Social Security numbers and credit card numbers can be accessed in many ways: by an individual hacking into your system, theft by internal employees, accidental loss of a company laptop, or even through the disappearance of backup tapes that contain critical information. That’s just naming a few.

Regardless of the industry, a multitude of federal, state, industry, corporate and international mandates have been established to protect individuals from having their personal information lost or stolen. These mandates include penalties for not notifying those individuals of the breach.

So what do these data security mandates mean for your business?

First of all, the mandates require secure communication between you and your customers and business partners. This means that you need to make sure that the transaction—as it is being sent across the wire—cannot be seen by anyone. That requires encryption of the data while being transported, as well as when it is stored.

Reliability and automated recovery of failed transmissions is vital. If you’re exchanging data with a business partner and that information fails to get delivered, you want to know when this happens so that the data can be automatically recovered and re-sent successfully.

Your business also needs to be able to audit all transactions and the activities within them, and you must be able to continually evaluate your compliance with the security process.

Lastly, you must be able to trace the process and procedures, including keeping track of software updates. It goes without saying that notification of those affected by the breach is time consuming and costly.

The Road to Compliance
The first step in compliance is to understand with which regulatory laws and mandates your company needs to comply. Assessing the current status of sensitive consumer and credit card information is next. It requires tracing the data through all of your enterprise applications as well as the places that it enters and exits your organization. The output of this stage is a gap analysis to determine what it will take to become compliant.

Implementation follows. This includes making both technological and process changes. When complete, a post-implementation review ensures that all gaps are closed and sets you up to be validated by a third party, as required by some mandates.

Going on the Offense: Five Steps to Securing Customer Data at Rest and in Motion
It goes without saying that protecting your customers’ personal information and business partners’ data also protects your company. Complying with security mandates and passing subsequent audits is really as simple as taking the necessary steps to secure the personal and business data entrusted to you, whether it is being stored or in transit. While most organizations are aware of the necessity to protect stored data, not all are aware that data in motion is also at risk. Fortunately, there are five steps your company can take to mitigate data security risks in your enterprise and with your customers and business partners.

1. No single user should have access to keys.
Several mandates specify that key authority must be restricted to the fewest number of users possible. This means that a security officer may grant rights to a programmer for access, but the officer does not have access to the keys himself. The same applies to the programmer, who has access to use the encryption algorithms but not rights to the keys. Meeting this requirement means neither has complete control. Making sure users only gain access to the keys on an as-needed basis is also part of the mandate.

Another example of the dual control requirement is the masking of account numbers when displayed. This needs to be handled by the software solution itself, not the programmer implementing the solution. In other words, if you allow your programmer to mask the data himself, then you have given him rights to unmask the data too. Programmers should not control the masking, but they can use the results of the masking.

2. Manage keys centrally across the enterprise.
Since many companies have a need to use keys across a variety of databases, applications and platforms, it is important to manage the keys centrally across the enterprise. Companies are often lax about rotating keys. However, with many mandates now requiring this, you must be able to generate, distribute and store strong keys, periodically rotate them and destroy old ones.

Using a data security application that allows you to store old keys; retire and/or revoke them without deleting them; replace them with new keys; reinstate them if needed; and provide user-level security access controls to the keys makes the process much easier.

What’s even more important about key management is how you securely back up credit card and other sensitive consumer and corporate information to offline media. If you encrypt the data, but store the key used for encryption on the tape, you will be out of compliance. You need to make sure that you have some method of decrypting information from backup media without storing the keys with it.

3. Secure audit logs.
The third way to mitigate security risk comes into play when a breach occurs. In that case, auditors need the ability to review what actions took place within an enterprise to determine how the breach occurred and by whom.

You must record all access to all sensitive information—whether it be the encryption or decryption process, when it took place and by whom. The laws and mandates specifically call out the fields that should be captured.

But simply recording it is not enough. The logs need to be encrypted so they cannot be accessed and altered. When hackers break into a system they generally delete the audit logs so the theft cannot be traced back to them. Therefore, if you store audit information and encrypt the audit logs only to have them deleted by the criminals, you haven’t helped the auditors—and, in this case, you won’t pass the certification requirements for compliance.

Using a data security application that records audit information, encrypts audit logs and periodically stores audit logs in an “audit vault” for safe-keeping makes the process automatic.
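To illustrate how altered or deleted audit records can be detected, the sketch below is an added example, not code from the article or from any product it mentions. It uses a chained HMAC rather than the log encryption the article describes, and the function names, the sample records and the `(count, tag)` vault checkpoint are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start value (constructed for this example)

def _tag(key, prev_tag, fields):
    body = prev_tag + json.dumps(fields, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def append_entry(log, key, when, who, action, obj):
    """Append one access record; its tag covers the record and the previous tag."""
    fields = {"when": when, "who": who, "action": action, "object": obj}
    prev = log[-1]["tag"] if log else GENESIS
    log.append({**fields, "tag": _tag(key, prev, fields)})
    return len(log), log[-1]["tag"]  # checkpoint to copy to the audit vault

def verify(log, key, checkpoint=None):
    """Return (ok, reason). checkpoint is the (count, tag) last stored off-host."""
    prev = GENESIS
    for i, rec in enumerate(log):
        fields = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, prev, fields), str(rec.get("tag"))):
            return False, f"entry {i} altered, reordered or preceded by a deletion"
        prev = rec["tag"]
    if checkpoint:
        count, tag = checkpoint
        if len(log) < count or log[count - 1]["tag"] != tag:
            return False, "entries missing or rewritten since the vault checkpoint"
    return True, "ok"

def demo():
    key = b"constructed-demo-key"  # assumption: held by the logging service only
    log = []  # constructed sample records, not real access data
    append_entry(log, key, "2007-11-01T09:00:00Z", "svc-billing", "decrypt", "card#1")
    cp = append_entry(log, key, "2007-11-01T09:05:00Z", "jdoe", "decrypt", "card#2")
    append_entry(log, key, "2007-11-01T09:06:00Z", "jdoe", "encrypt", "card#3")
    intact = verify(log, key, cp)
    edited = [dict(r) for r in log]
    edited[1]["who"] = "nobody"  # a record is rewritten after the fact
    truncated = log[:1]          # the tail of the log is deleted
    return intact, verify(edited, key, cp), verify(truncated, key, cp)
```

The checkpoint is what catches outright deletion: a truncated log still chains correctly on its own, so the count and tag held in the vault are the only evidence that entries are gone.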

4. Encrypt archived data.
All sensitive information that is not yet backed up and stored must be encrypted. If you already encrypt the data and then back it up, you are compliant. There are, however, a few things to keep in mind.

If you use a key to encrypt the information, you cannot store the key on the tape as this can easily be used to decrypt the information. If you cannot store the key on the tape, you will need to manage the keys as discussed earlier. Also, when you go to restore a tape make sure that the proper key is used to decrypt the information. Your key management system must have the intelligence to link the tapes to the keys used to encrypt the data.
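The key lifecycle from step 2 and the tape-to-key link required here can be modelled together. This is an added example, not code from the article or any vendor product: the `KeyRegistry` class, its method names, the key-id format and the tape labels are hypothetical, and the encryption of the backup itself is left out.

```python
import secrets
from enum import Enum

class KeyState(Enum):
    ACTIVE = "active"    # encrypts new data and decrypts
    RETIRED = "retired"  # decrypt-only, kept so older tapes stay readable
    REVOKED = "revoked"  # unusable until reinstated

class KeyRegistry:
    """Hypothetical central key store; key material never leaves it for the tape."""

    def __init__(self):
        self._keys = {}   # key_id -> [KeyState, key bytes]
        self._tapes = {}  # tape label -> key_id used for that backup
        self.active_id = None

    def rotate(self):
        """Create a new active key; the previous active key becomes decrypt-only."""
        if self.active_id and self._keys[self.active_id][0] is KeyState.ACTIVE:
            self._keys[self.active_id][0] = KeyState.RETIRED
        self.active_id = f"k{len(self._keys) + 1:04d}"
        self._keys[self.active_id] = [KeyState.ACTIVE, secrets.token_bytes(32)]
        return self.active_id

    def revoke(self, key_id):
        self._keys[key_id][0] = KeyState.REVOKED

    def reinstate(self, key_id):
        """A revoked key comes back as decrypt-only, never as the active key."""
        if self._keys[key_id][0] is KeyState.REVOKED:
            self._keys[key_id][0] = KeyState.RETIRED

    def register_backup(self, tape_label):
        """Record which key encrypted this tape; return the header written to it."""
        if not self.active_id or self._keys[self.active_id][0] is not KeyState.ACTIVE:
            raise RuntimeError("no active key; rotate first")
        self._tapes[tape_label] = self.active_id
        return {"tape": tape_label, "key_id": self.active_id}  # an id, not a key

    def key_for_restore(self, tape_label):
        """Look up the key linked to a tape, refusing revoked keys."""
        key_id = self._tapes[tape_label]
        state, key = self._keys[key_id]
        if state is KeyState.REVOKED:
            raise PermissionError(f"{key_id} is revoked; reinstate it before restoring")
        return key_id, key
```

Only the key identifier travels with the tape, so a lost tape carries nothing that decrypts it, while a restore after several rotations still finds the key that was active when the backup was written.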

5. Restrict inbound and outbound transactions.
The fifth way to mitigate risk pertains to restricting inbound and outbound transactions. An obvious threat comes from external intruders; therefore securing your firewall from outside breaches is imperative. And from an outbound perspective, you do not want sensitive information to exist on any machine that has direct outbound connections. This could lead to inadvertent access to this information.

Ideally, secure connectivity solutions should restrict inbound traffic by examining who it is from and then only allowing validated information into the enterprise through a single, outbound opening in the firewall. The same applies to outbound traffic: the destination should be profiled, and only communication originating from an insulated environment, typically within a demilitarized zone, should be allowed out.

The threat of data theft—whether at rest or in motion—is real and has given rise to a plethora of data security mandates. The good news is that complying with new data security mandates and passing audits is not difficult if you go on the offense now to mitigate security risks by putting into place these five practices to protect your customers’ personal information and business partners’ data.

About the Author:
Gary Palgon is vice president of Product Management for Atlanta-based nuBridges, the secure eBusiness authority. Reach him directly at gpalgon@nubridges.com or visit www.nubridges.com.


© IMPIRE Communications, LLC All Rights Reserved.  
